Schneier on Security
A blog covering security and security technology.
September 24, 2009
Sears Spies on its Customers
It's not just hackers who steal financial and medical information:
Between April 2007 and January 2008, visitors to the Kmart and Sears web sites were invited to join an "online community" for which they would be paid $10 with the idea they would be helping the company learn more about their customers. It turned out they learned a lot more than participants realized or that the feds thought was reasonable.
To join the "My SHC Community," users downloaded software that ended up grabbing some members' prescription information, emails, bank account data and purchases on other sites.
Reminds me of the 2005 Sony rootkit, which -- oddly enough -- is in the news again too:
After purchasing an Anastacia CD, the plaintiff played it in his computer but his anti-virus software set off an alert saying the disc was infected with a rootkit. He went on to test the CD on three other computers. As a result, the plaintiff ended up losing valuable data.
Claiming for his losses, the plaintiff demanded 200 euros for 20 hours wasted dealing with the virus alerts and another 100 euros for 10 hours spent restoring lost data. Since the plaintiff was self-employed, he also claimed for loss of profits and in addition claimed 800 euros which he paid to a computer expert to repair his network after the infection. Added to this was 185 euros in legal costs making a total claim of around 1,500 euros.
The judge's assessment was that the CD sold to the plaintiff was faulty, since he should be able to expect that the CD could play on his system without interfering with it.
The court ordered the retailer of the CD to pay damages of 1,200 euros.
Posted on September 24, 2009 at 6:37 AM
• 31 Comments
Why is the retailer on the hook for this? It should be Sony. If there was poison in a can of soda, it wouldn't be the retailer's job to cover the damages. I agree that the plaintiff was damaged, but I disagree by who. Are retailers now going to require malware detection on all CDs they sell in order to protect themselves?
In many parts of Europe there is consumer legislation that starts "at the point of sale".
The advantage for the person here is that a judgment was reached in short order without having to fight the might of the Sony corporate legal hit squad.
It will be interesting to see if the case sets a precedent...
Sony usually claim you are "not buying" the music, just a "limited license to play".
This could have serious consequences for other items sold on a distribution medium under a "licence to use". I suspect the Microsoft legal beagles are sniffing their way through it already...
Thank you for pointing out my USA bias! Even though the article/summary gives every indication that the incident did not happen in the USA, I assumed it had.
On your other topic (licenses, etc), I agree it is interesting. From a "common sense" point of view, I think Sony should be liable for anything they intentionally put on a CD. Otherwise, they could put anything they want on it, and not be held liable.
In a lawsuit in the US the first thing you do is make a list of the 2 or 3 people out of the entire country who could not possibly, remotely have the slightest connection to anything that ever occurred anywhere near the subject in question. Then you sue everyone not on the list you just made. Then the victims of your attack pay an attorney to bitch about being on the list and a judge throws 90% of them out. Whoever is left pays the cover charge for the game.
So Sony (who we all agree masterfully played the role of antichrist in this event) may get off completely free, but Joe Pinata, the paperboy who delivered the Sunday News to the plaintiff the week before which contained the ad which motivated the plaintiff to go to Record City and buy the CD in the first place, winds up paying 7,000 times his annual earnings in penalty because he couldn't afford a good attorney.
ISTR that the case here was where a _used_ CD was sold and the buyer argued that the seller shouldn't have called it a "CD" if it obviously wasn't. Or maybe I'm mixing two cases in my head.
Anyway, yes, in Germany (and Austria as well), the SELLER is responsible for the item sold and for the fact that it fulfils any promises he made and isn't defective.
Just another reason why I am boycotting Sony in all regards, no matter how "superior" their technology may be. Because of this, they have lost sales to me for an HD TV, digital audio recorder, numerous CD's and DVD's, mp3 player, AIT tape drive, ... They will NEVER get another penny from me as long as I can help it.
Maybe that's the solution ... instead of massive, once-in-awhile class action suits benefiting only the lawyers, perhaps thousands (or tens of thousands) of small claims cases against the companies using rootkits and other system-disabling spyware (and/or DRM) will be the straw to break their backs.
Boycotts don't work unless you say you'll buy from them again when they clean up their act. What's their incentive to change if you just say you'll "never" buy from them again?
I mean, Sony, *does* hate its customers, as they've shown time and time again. But maybe one day someone new will step in and clean house.
In Europe the retailer is held responsible as this is the only one the customer has a contract with.
As you don't have a contract with the manufacturer, you usually can't have any claims against him either. In a second step, the manufacturer is liable to recourse to the retailer.
This is the law over the first two years after a purchase. After two years, it's up to the manufacturer to offer a voluntary warranty.
Bruce wrote that the news about Sears reminds him of the Sony case, not that they are related.
Strange news about Sears/Kmart. (I believe the two stores merged a few years back, shortly after Kmart went through bankruptcy. The merged corporation is the Sears Holding Company.)
The first sign of trouble for users should have been an "online community" that requires members to download special software. Can't the "online community" be implemented through some form of secured-sign-in web page, with a side dish of email and/or bulletin board?
I've seen the "go to this website and tell us about your shopping experience" offers on receipts from other big-box retailers. Usually, there's a promotional hook, some sort of drawing for a $5000-gift-card at the store.
I've also seen this done by manufacturers...I've found ads for a "user group website", on food products like caramel dip for apples. I've also found such things on bottles of automobile oil purchased in an auto-parts shop. (One of the two had a prize drawing, I honestly can't remember which one it was.)
Usually such sign-ups want information on where the user purchased the goods, and what the normal use of them is. Often, they offer some incentive to purchase the same stuff again. There's also the incentive of belonging to a special group of people who have discovered all the good things about the product.
Generically, it seems that many stores and manufacturers are trying to get into the market for selling information about customer's purchasing habits.
Strange indeed that someone at Sears felt the need to use some sort of downloaded malware, and went looking for more personal information than purchasing habits.
It might have been seen as a good business idea from the perspective of targeting users, but it definitely crossed the line into malicious behavior with the customer's computer system.
Even if the customer had to download the malware to expose themselves.
I believe when someone says "I will never buy from you again" there is an implied "until you make restitution/fix the problem/change your process".
What about all the cool movies that Sony produces/distributes? Are you going to miss Spiderman 4?
Even if there's no implied "I'll buy from you again if you make restitution," the target of a forever-boycott may understand that _more_ consumers will boycott them if they don't change their behavior.
Not buying from Sony gets less easy. Columbia is now Sony, I see.
At the time of the original rootkit, I thought there was anti-computer-vandalism law on the books that would have covered a rootkit. Was I wrong? There were no prosecutions.
I know everyone has deadlines and Editors are usually (ir)responsible but really...
"Sears gets mere wrist slap for allegedly spying on customers"
If they have the consent order entered against them isn't that a finding of fact?
But should we expect the federal government to be zealous in defending privacy rights when they still use and don't wanna give up the surveillance rights they have under the Patriot Act?
I haven't trusted Sony since the first Vaio computers came out with DRM hooks built into the BIOS.
"Bruce wrote that the news about Sears reminds him of the Sony case, not that they are related."
Not related at all. Just two examples of companies hacking their customers.
"Just another reason why I am boycotting Sony in all regards, no matter how 'superior' their technology may be."
It's a pity; I really like their laptops.
"The first sign of trouble for users should have been an "online community" that requires members to download special software."
Admittedly, most of us already have and are more or less comfortable with Flash, Java, WinAmp, etc, but it still comes down to blindly trusting Microsoft, Adobe/Macromedia, Sun, Mozilla, and so on to protect you from all of the malware that you casually expose yourself to on a daily basis. Most users will download and install anything w/o a thought if you promise them something shiny and/or free.
While DRM is not as much of an issue for open source users in general, FreeBSD allows you to substitute your own ACPI code for the vendor's during boot. So anyone who is not committed to running MS Windows and willing to do the work (or trust someone else who already has) can have a DRM-free BIOS on the hardware of their choice.
This won't deter vendors from DRMing it of course, but you can always buy your hardware used from people who are dissatisfied with that "feature".
The Sony that makes and sells CDs isn't quite identical with the Sony that makes and sells appliances and computer gadgets. At least back when the rootkit stuff went down, the CD-selling Sony was actually called »Sony BMG Music Entertainment«, and was a joint venture between what used to be CBS Records (which was acquired by the American subsidiary of Sony in 1988 and renamed »Sony Music Entertainment«) and BMG, a subsidiary of the giant German publishing house Bertelsmann. This joint venture was dissolved in 2008.
But this case wasn't in the US. Suing the person you had direct contact with makes perfect sense -- you have a contract with that person, and they are responsible for what they sell. Then they can sue back to their vendor, and so on.
This is a way to handle those partial externalities -- if everyone is responsible to the next person in line, then the chain of actions will propagate throughout the network. On the other hand, if the ultimate victim has to sue the ultimate fraudster, then for most of the relationships in between, it is a relative externality.
And it does have to be judicially enforced, and not depend on the "magical market", where the costs of losing business at the consumer end is so much less than the cost of pissing your gigantic vendor.
The part that amuses me most: He put the CD in one computer, got a virus warning, and subsequently tested the CD on three other computers and now claims for data loss. Isn't it pure stupidity, running a CD that is suspected/known to contain a virus/rootkit/whatever in an unprotected PC?
If I were the judge, he wouldn't have seen a single cent for that stunt.
@spaceman_spiff: I'm sure they will cry over the lost business... :-P
(on a side note: be glad that you didn't buy the AIT drive.. I found them to be of questionable quality.)
I'm quite amused about people claiming to boycott Sony since the rootkit issue.. and yet they don't know that every second DVD or CD they buy comes from Sony or is pressed at their plant even if it's not visible on the cover, their LCD TV probably contains Sony chips or panel, and they unknowingly use dozens of items that contain Sony components in everyday life.
The rootkit issue is almost a decade old already.. get over it. Besides, back at that time it wasn't even Sony but Bertelsmann under the SonyBMG conglomerate.
"The part that amuses me most: He put the CD in one computer, got a virus warning, and subsequently tested the CD on three other computers and now claims for data loss. Isn't it pure stupidity, running a CD that is suspected/known to contain a virus/rootkit/whatever in an unprotected PC?"
That is 20/20 Hindsight thinking.
If you were unaware of the Sony rootkit debacle (and many people are) and you have what looks like a perfectly legitimate "Audio CD" in good condition (that may or may not have been tried in a conventional player),
it is more likely you would think it was either the computer or the virus software that was at fault, not that there was a hidden "data track" on an "Audio CD" which contained a computer virus.
It was this very unexpected "data on an Audio CD" aspect that made the people responsible for it believe it would (and did) work.
Remember the rootkit was found by a security researcher only after they had accidentally infected one of their test machines and then noticed abnormal behaviour on the machine.
Far from throwing the claim out, the judge probably considered that the merchant, being "of the trade", should have been aware of which "Audio CDs" were affected as a matter "of practicing the trade", and therefore was "deliberately negligent" in not disclosing this at the time of sale.
It's interesting that this time around, the anti-virus software notified the user of the infection. The previous Sony snafu did not appear to be caught by anti-virus software.
Am on my phone so not easy to look up, but there was a story about a mySears or such site that allowed you, or anyone who knows your address, to look up all your purchases since the 1970s.
I agree with Woo about putting the CD in other computers being amusing. The Sony rootkit made big news and wasn't something obscure that nobody ever heard about. Personally, I think that people who put a CD in one computer and get an alert from their virus protection software and then _ignore_ the warning of the software they are trusting to protect them don't deserve compensation for any additional computers they infect. It's like continuing to drive 20 miles to home when your oil light lights. People should know better! The only compensation I believe is due is what was required to recover the first computer infected.
@woo: "The rootkit issue is almost a decade old already.. get over it."
Just what kind of special maths are you using to round 4 years up to more than 10 years?
This reminds me of the whole Sears / Prodigy issue, where it was discovered that the Prodigy client software was creating a huge STAGE.DAT file of all the users' data files and uploading it in the background to Sears.
What's disturbing about it was how low-profile the whole case was, how quickly it disappeared, and how easily it was excused, in general.
Correction: after some research I discovered:
Prodigy was accused in late 1990 and early 1991 of spying on its users. The evidence offered was bits and pieces of user data showing up in two files created by the software installed on subscribers' PCs: STAGE.DAT and CACHE.DAT. Prodigy's response was that the data was never transmitted; in fact, their software was preallocating disk space but not zeroing it before use -- a conscious choice intended to reduce startup time on slow home computers. The unzeroed storage contained fragments of data from deleted user files. In an attempt to mitigate the bad publicity, Prodigy sent users on request a floppy disk labeled "Prodigy Stage/Cache Utility Software" which contained a program to zero out the STAGE.DAT and CACHE.DAT files, eliminating the data.
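The mechanism described in that comment (preallocating file space without zeroing it, so the new file inherits fragments of whatever deleted files previously occupied those disk blocks) is easy to reproduce in miniature. The following is an added simulation, not code from the post, from Prodigy, or from any real filesystem: `ToyDisk` is a hypothetical block device with a DOS-style free list that never wipes freed blocks, `preallocate` models the STAGE.DAT behaviour with and without zero-on-allocate, `leaked_fragments` is the kind of check a defender would run to confirm the leak, and `scrub` does what the "Stage/Cache Utility" floppy is described as doing. The file names and the "diary" content are constructed for the example.

```python
"""Simulation of the STAGE.DAT problem: reusing freed disk blocks without
zeroing them lets a new, preallocated file expose fragments of deleted files.
Everything here (disk, files, secret) is constructed for the example."""

BLOCK_SIZE = 16

# Constructed sample data: the first 16 bytes form one full block, so the
# "secret" lands in exactly one disk block and is easy to locate afterwards.
SECRET = b"ACCOUNT-12345678"
DIARY = SECRET + b" card on file, do not share"


class ToyDisk:
    """A hypothetical block device plus free list (not a real filesystem)."""

    def __init__(self, n_blocks, zero_on_alloc):
        self.blocks = [bytearray(BLOCK_SIZE) for _ in range(n_blocks)]
        self.free = list(range(n_blocks))   # FIFO free list of block indices
        self.zero_on_alloc = zero_on_alloc  # the mitigation under test
        self.files = {}                     # name -> ordered block indices

    def _alloc(self, n):
        """Hand out n blocks; wipe them only if zero_on_alloc is enabled."""
        if n > len(self.free):
            raise OSError("disk full")
        chosen = [self.free.pop(0) for _ in range(n)]
        if self.zero_on_alloc:
            for b in chosen:
                self.blocks[b][:] = bytes(BLOCK_SIZE)
        return chosen

    def write_file(self, name, data):
        """Write data block by block; each block is fully overwritten."""
        n = -(-len(data) // BLOCK_SIZE)  # ceiling division
        idx = self._alloc(n)
        for i, b in enumerate(idx):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b][:] = chunk.ljust(BLOCK_SIZE, b"\0")
        self.files[name] = idx

    def delete_file(self, name):
        """DOS-style delete: only the free list changes, contents stay."""
        self.free.extend(self.files.pop(name))

    def preallocate(self, name, n_blocks):
        """Reserve space up front without writing anything into it."""
        self.files[name] = self._alloc(n_blocks)

    def read_file(self, name):
        return b"".join(bytes(self.blocks[b]) for b in self.files[name])


def leaked_fragments(disk, name, secrets):
    """Defender's check: which known sensitive strings show up in the file?"""
    content = disk.read_file(name)
    return [s for s in secrets if s in content]


def scrub(disk, name):
    """What the cleanup utility did: zero the file's blocks in place."""
    for b in disk.files[name]:
        disk.blocks[b][:] = bytes(BLOCK_SIZE)


def demo(zero_on_alloc):
    """Write a private file, delete it, preallocate STAGE.DAT over the freed
    blocks, and report leaked fragments before and after scrubbing."""
    disk = ToyDisk(n_blocks=8, zero_on_alloc=zero_on_alloc)
    disk.write_file("diary.txt", DIARY)
    disk.delete_file("diary.txt")
    disk.preallocate("STAGE.DAT", 8)  # grabs every block, including freed ones
    before = leaked_fragments(disk, "STAGE.DAT", [SECRET])
    scrub(disk, "STAGE.DAT")
    after = leaked_fragments(disk, "STAGE.DAT", [SECRET])
    return before, after


if __name__ == "__main__":
    print("no zeroing on allocate:", demo(zero_on_alloc=False))
    print("zeroing on allocate:   ", demo(zero_on_alloc=True))
```

With `zero_on_alloc=False` the preallocated file contains the account string from the deleted diary until it is scrubbed; with `zero_on_alloc=True` it never does. The lesson generalises beyond Prodigy: any allocator (disk blocks, heap memory, object pools) that recycles storage without clearing it turns "deleted" data into data the next consumer can read, and zeroing at allocation or at free time is the mitigation.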
Schneier.com is a personal website. Opinions expressed are not necessarily those of BT.